Bug 238854

Summary:

archivers/bzip2: Update to 1.0.7 (Fixes security vulnerabilities)

Product:

Ports & Packages

Reporter:

jharris

Component:

Individual Port(s)

Assignee:

Steve Wills <swills>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

delphij, jharris

Priority:

---

Keywords:

needs-qa, security

Version:

Latest

Flags:

jharris: maintainer-feedback+
koobs: merge-quarterly?

Hardware:

Any

OS:

Any

URL:

https://gitlab.com/federicomenaquintero/bzip2/blob/master/NEWS

See Also:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238843

Attachments:

Description	Flags
patch to update bzip2 to 1.0.7	jharris: maintainer-approval+

Description jharris 2019-06-27 19:53:12 UTC

Created attachment 205383 [details]
patch to update bzip2 to 1.0.7

New release, fixes CVE-2016-3189 and CVE-2019-12900:

  https://gitlab.com/federicomenaquintero/bzip2/blob/master/NEWS

Updates WWW to gitlab.com (no tarballs/releases) and MASTER_SITES to sourceware.org, which has a GnuPG signature:

gpg: assuming signed data in `/usr/ports/distfiles/bzip2-1.0.7.tar.gz'
gpg: Signature made Thu Jun 27 18:16:01 2019 UTC using RSA key ID ACD99A78
gpg: using subkey ACD99A78 instead of primary key 49DE760A
gpg: Good signature from "Mark Wielaard <@klomp.org>"
gpg:                 aka "Mark Wielaard <@gnu.org>"
gpg:                 aka "Mark Wielaard <@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC3C FE88 F6CA 0788 774F  5C1D 1AA4 4BE6 49DE 760A
     Subkey fingerprint: 1276 8A96 7959 9010 7A0D  2FDF FC57 E3CC ACD9 9A78
gpg: binary signature, digest algorithm SHA256

Old version/mirror at https://sourceforge.net/projects/bzip2/ hasn't caught up...

Comment 1 Xin LI freebsd_committer

2019-06-28 17:13:42 UTC

Unrelated to the update itself, but do we really need a port for bzip2?  It's part of the base system since as late as FreeBSD 5.0 (16 years ago)...

Comment 2 jharris 2019-06-28 17:47:37 UTC

(In reply to Xin LI from comment #1)

Well, I’m already using the updated, CVE-free version without rebooting.  I find value in that.  Also, the code is now in gitlab and under renewed development, which the port makes easy to test.

I personally think it is pointless to continue to bikeshed and/or remove 1 in 32,500 ports, making it harder to test (and atomically cleanup via pkg) new versions of ESSENTIAL software...

How many bytes are we saving, and to what end?

Of course, I’m all for a disclaimers in pkg-descr for the ports that are also in base.

Thanks.

Comment 3 commit-hook freebsd_committer

2019-06-30 21:48:12 UTC

A commit references this bug:

Author: swills
Date: Sun Jun 30 21:47:17 UTC 2019
New revision: 505506
URL: https://svnweb.freebsd.org/changeset/ports/505506

Log:
  Document minor bzip2 issues

  PR:		238854

Changes:
  head/security/vuxml/vuln.xml

Comment 4 commit-hook freebsd_committer

2019-06-30 21:48:14 UTC

A commit references this bug:

Author: swills
Date: Sun Jun 30 21:47:45 UTC 2019
New revision: 505507
URL: https://svnweb.freebsd.org/changeset/ports/505507

Log:
  archivers/bzip2: update to 1.0.7

  PR:		238854
  Submitted by:	jharris@widomaker.com (maintainer)
  MFH:		2019Q2
  Security:	4b6cb45d-881e-447a-a4e0-c97a954ea758

Changes:
  head/archivers/bzip2/Makefile
  head/archivers/bzip2/distinfo
  head/archivers/bzip2/pkg-descr

Comment 5 commit-hook freebsd_committer

2019-06-30 21:49:17 UTC

A commit references this bug:

Author: swills
Date: Sun Jun 30 21:48:25 UTC 2019
New revision: 505509
URL: https://svnweb.freebsd.org/changeset/ports/505509

Log:
  MFH: r505507

  archivers/bzip2: update to 1.0.7

  PR:		238854
  Submitted by:	jharris@widomaker.com (maintainer)
  Security:	4b6cb45d-881e-447a-a4e0-c97a954ea758

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/archivers/bzip2/Makefile
  branches/2019Q2/archivers/bzip2/distinfo
  branches/2019Q2/archivers/bzip2/pkg-descr

Comment 6 Steve Wills freebsd_committer

2019-06-30 21:49:28 UTC

Committed, thanks!